C#: Re-factor the Api SourceNode implementation to be based on abstract classes and only use it where relevant sources are added.

michaelnebel · michaelnebel · commit 76aed363bb47 · 2024-04-29T16:22:08.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
@@ -15,7 +15,7 @@ private import semmle.code.csharp.security.SensitiveActions
 /**
  * A data flow source for user-controlled bypass of sensitive method.
  */
-abstract class Source extends DataFlow::Node { }
+abstract class Source extends ApiSourceNode { }
 
 /**
  * A data flow sink for user-controlled bypass of sensitive method.
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/ApiSources.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/ApiSources.qll
@@ -1,77 +1,14 @@
 /** Provides classes representing various flow sources for data flow / taint tracking. */
 
-private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import FlowSources as FlowSources
 
-/**
- * A data flow source node.
- */
-abstract class SourceNode extends DataFlow::Node { }
+final class SourceNode = FlowSources::SourceNode;
 
 /**
- * Module that adds all sources to `SourceNode`, excluding source for cryptography based
- * queries, and queries where sources are not succifiently explicit or mainly hardcoded constants.
+ * Module that adds all API like sources to `SourceNode`, excluding some sources for cryptography based
+ * queries, and queries where sources are not succifiently defined (eg. using broad method name matching).
  */
-private module AllSources {
-  private import FlowSources as FlowSources
-  private import semmle.code.csharp.security.cryptography.HardcodedSymmetricEncryptionKey
-  private import semmle.code.csharp.security.dataflow.CleartextStorageQuery as CleartextStorageQuery
-  private import semmle.code.csharp.security.dataflow.CodeInjectionQuery as CodeInjectionQuery
+private module AllApiSources {
   private import semmle.code.csharp.security.dataflow.ConditionalBypassQuery as ConditionalBypassQuery
-  private import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformationQuery as ExposureOfPrivateInformationQuery
-  private import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery as HardcodedCredentialsQuery
-  private import semmle.code.csharp.security.dataflow.LDAPInjectionQuery as LdapInjectionQuery
-  private import semmle.code.csharp.security.dataflow.LogForgingQuery as LogForgingQuery
-  private import semmle.code.csharp.security.dataflow.MissingXMLValidationQuery as MissingXmlValidationQuery
-  private import semmle.code.csharp.security.dataflow.ReDoSQuery as ReDosQuery
-  private import semmle.code.csharp.security.dataflow.RegexInjectionQuery as RegexInjectionQuery
-  private import semmle.code.csharp.security.dataflow.ResourceInjectionQuery as ResourceInjectionQuery
-  private import semmle.code.csharp.security.dataflow.SqlInjectionQuery as SqlInjectionQuery
-  private import semmle.code.csharp.security.dataflow.TaintedPathQuery as TaintedPathQuery
-  private import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery as UnsafeDeserializationQuery
-  private import semmle.code.csharp.security.dataflow.UrlRedirectQuery as UrlRedirectQuery
-  private import semmle.code.csharp.security.dataflow.XMLEntityInjectionQuery as XmlEntityInjectionQuery
-  private import semmle.code.csharp.security.dataflow.XPathInjectionQuery as XpathInjectionQuery
   private import semmle.code.csharp.security.dataflow.ZipSlipQuery as ZipSlipQuery
-
-  private class FlowSourcesSources extends SourceNode instanceof FlowSources::SourceNode { }
-
-  private class CodeInjectionSource extends SourceNode instanceof CodeInjectionQuery::Source { }
-
-  private class ConditionalBypassSource extends SourceNode instanceof ConditionalBypassQuery::Source
-  { }
-
-  private class LdapInjectionSource extends SourceNode instanceof LdapInjectionQuery::Source { }
-
-  private class LogForgingSource extends SourceNode instanceof LogForgingQuery::Source { }
-
-  private class MissingXmlValidationSource extends SourceNode instanceof MissingXmlValidationQuery::Source
-  { }
-
-  private class ReDosSource extends SourceNode instanceof ReDosQuery::Source { }
-
-  private class RegexInjectionSource extends SourceNode instanceof RegexInjectionQuery::Source { }
-
-  private class ResourceInjectionSource extends SourceNode instanceof ResourceInjectionQuery::Source
-  { }
-
-  private class SqlInjectionSource extends SourceNode instanceof SqlInjectionQuery::Source { }
-
-  private class TaintedPathSource extends SourceNode instanceof TaintedPathQuery::Source { }
-
-  private class UnsafeDeserializationSource extends SourceNode instanceof UnsafeDeserializationQuery::Source
-  { }
-
-  private class UrlRedirectSource extends SourceNode instanceof UrlRedirectQuery::Source { }
-
-  private class XmlEntityInjectionSource extends SourceNode instanceof XmlEntityInjectionQuery::Source
-  { }
-
-  private class XpathInjectionSource extends SourceNode instanceof XpathInjectionQuery::Source { }
-
-  /**
-   * Add all models as data sources.
-   */
-  private class SourceNodeExternal extends SourceNode {
-    SourceNodeExternal() { sourceNode(this, _) }
-  }
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll
@@ -32,3 +32,18 @@ class ThreatModelFlowSource extends DataFlow::Node {
     )
   }
 }
+
+/**
+ * A data flow source node for an API, which should be considered
+ * supported from a modeling perspective.
+ */
+abstract class ApiSourceNode extends DataFlow::Node { }
+
+private class AddSourceNodes extends ApiSourceNode instanceof SourceNode { }
+
+/**
+ * Add all models as data sources.
+ */
+private class ApiSourceNodeExternal extends ApiSourceNode {
+  ApiSourceNodeExternal() { sourceNode(this, _) }
+}
diff --git a/csharp/ql/src/Telemetry/ExternalApi.qll b/csharp/ql/src/Telemetry/ExternalApi.qll
@@ -8,7 +8,7 @@ private import semmle.code.csharp.dataflow.internal.DataFlowDispatch as DataFlow
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
 private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
-private import semmle.code.csharp.security.dataflow.flowsources.ApiSources
+private import semmle.code.csharp.security.dataflow.flowsources.ApiSources as ApiSources
 private import semmle.code.csharp.security.dataflow.flowsinks.ApiSinks as ApiSinks
 private import TestLibrary
 
@@ -85,7 +85,7 @@ class ExternalApi extends Callable {
 
   /** Holds if this API is a known source. */
   pragma[nomagic]
-  predicate isSource() { this.getAnOutput() instanceof SourceNode }
+  predicate isSource() { this.getAnOutput() instanceof ApiSources::SourceNode }
 
   /** Holds if this API is a known sink. */
   pragma[nomagic]

Original file line number	Diff line number	Diff line change
`@@ -32,3 +32,18 @@ class ThreatModelFlowSource extends DataFlow::Node {`
`32`	`32`	`)`
`33`	`33`	`}`
`34`	`34`	`}`
	`35`	`+`
	`36`	`+/**`
	`37`	`+ * A data flow source node for an API, which should be considered`
	`38`	`+ * supported from a modeling perspective.`
	`39`	`+ */`
	`40`	`+abstract class ApiSourceNode extends DataFlow::Node { }`
	`41`	`+`
	`42`	`+private class AddSourceNodes extends ApiSourceNode instanceof SourceNode { }`
	`43`	`+`
	`44`	`+/**`
	`45`	`+ * Add all models as data sources.`
	`46`	`+ */`
	`47`	`+private class ApiSourceNodeExternal extends ApiSourceNode {`
	`48`	`+ ApiSourceNodeExternal() { sourceNode(this, _) }`
	`49`	`+}`